
Security and Protection

Information Services has a license for some Intel Security (McAfee) anti-virus products, which are available free of charge to all students and staff of the University and Colleges. The license also allows for use on home machines. Once installed the products will automatically check for and download new anti-virus definitions daily. Download page:

Security and Protection details:

Stay Safe Online

Phishing is any attempt by attackers to steal valuable information by pretending to be a trustworthy party; it is a form of social engineering attack. An attacker might, for example, impersonate a bank to obtain credit card numbers or bank account details. The name comes from ‘fishing’, as in ‘fishing for information’: luring people into disclosing confidential information.

Phishing relies on people trusting official looking messages, or conversations with apparently authoritative individuals, as being genuine. It is widespread and it can be enormously costly to people who find their bank accounts emptied, credit references destroyed or lose personal or sensitive information.

Email phishing

The use of electronic technologies to perform phishing attacks was described in the late 1980s, but the term did not become commonplace until the mid 1990s when a program called AOHell allowed AOL users to impersonate other people (including the founder of AOL itself).

Phishing became increasingly common as more and more people connected for the first time and began receiving official looking messages that looked very much like those sent out by genuine organisations such as banks, stores and government departments. What most of these users did not realise was that not only could email addresses be faked, but that electronic data can be easily copied – just because an email claims to come from your bank and has your bank’s logo doesn’t mean that it is genuine.

Phishing emails may be indiscriminate. A phisher will create an email asking the user to get in touch with a bank or credit card company claiming that there is a problem with the account or that the bank may have lost some money. These sorts of messages make people justifiably worried and more likely to follow the instruction. The phisher will then include some plausible looking details such as the bank’s logo and address and then send it to millions of individuals. Among all the recipients, a few people will have accounts with that bank and will click the link in the message, or telephone a number, which will begin the process of eliciting further personal information.

What to do

If you do receive an email that worries you from an organisation such as a bank or shop that you use, do not click on or follow the links in the message. Get in touch with their customer services department, or log in to your account through their website. Type in their web address or use the address in your list of favourite sites, or use their published phone number. Most organisations will have a published policy of not asking for sensitive information such as your password through email or over the phone so you should be suspicious of anything that contravenes this policy.

Social media phishing

Although email still accounts for the majority of phishing attacks, the technique is also used on social media sites and in text messages. The same rules apply – if in doubt, go to the official site and make contact with the company through their published links.

Phishing can sometimes be targeted at individuals or at specific parts of an organisation. These attacks, commonly called ‘spear phishing’, depend on detailed information about the target. For example, an attacker might use information gleaned from recent emails to craft a plausible reply that appears to come from colleagues of the targeted user.

Attackers may also include links to malware-infected software in personal messages posted in social media. This is especially common after major disasters or during fast-breaking news when people are likely to click on interesting looking links without thinking carefully.

Phishing is just one type of spam email which clutters our mailboxes and often delivers unsuitable or even illegal content to individuals.


Spam is another consequence of the early internet having been built by people who trusted one another. Just as computer networks have had to be protected against hackers as more and more people came online, email has become a tool that anyone can use for good or ill.

Most internet email is moved around the world using the Simple Mail Transfer Protocol (SMTP) which defines a standard template of commands and formatting that allow different mail programs, on a huge range of computers, to understand one another. Protocols are used to specify a set of special messages that should be exchanged between computers to achieve a particular functionality, in this case the delivery of email.

SMTP was defined when the internet had only a tiny number of users, so the original specification did not include any way for computers to authenticate one another, i.e. there was no way of knowing if the message claiming to come from TrustedBank actually came from TrustedBank’s computers. This weakness was addressed in a later extension to SMTP called SMTP-AUTH, but crucially it was not required, and so almost all mail servers still accept unauthenticated messages.

Spammers can attack a mail system by changing the information in the email ‘envelope’ that encloses the message itself. This is known as ‘spoofing’: it lets a spammer disguise their real address by writing a new sender address (replacing their own with TrustedBank’s, say) and a new destination for receipts. Since SMTP servers perform no authentication, they simply pass the email on without checking that it really was sent by TrustedBank.


Simple spoofing is now being challenged by technologies that let genuine senders authenticate their messages so that the recipient’s mail server can check them; however, only about half of all mailboxes have any protection against spoofing.

Provided a spammer has access to a fast network (or increasingly to a botnet), spam costs the sender almost nothing and although only a tiny fraction of users will respond to a spam message, sufficiently vast numbers of emails are sent that the rewards far outweigh the costs. It has been estimated that seven TRILLION spam messages, making up more than 85% of all email, were sent during 2011 alone. Such is the torrent of spam that internet service providers and companies have to buy far more bandwidth and storage than they will ever need for legitimate purposes.

Spotting a phishing email

Although a phishing attack may appear plausible at first glance, there are some tell-tale signs that should make you very cautious about clicking on any links or giving any personal information to the supposed sender.

Read through the points below to find out what to look out for.

  • Spelling mistakes: Most English-language phishing expeditions are sent from countries where English is not the primary language. Attackers often give themselves away by imprecise use of English, even in quite common phrases, and by spelling errors. So read the message carefully.

  • Who is it to? Many, though not all, phishing attacks do not use your name in the introduction, preferring ‘Dear valued customer,’ or ‘Dear user,’. This is because they cannot personalise the emails sufficiently. Your bank or online store can, and should address you as ‘Dear Bob,’ or ‘Dear Mrs Jones,’ (or whatever your name is).

  • Poor quality images: Sometimes the images used in the emails are fuzzy, or your information may appear as an image rather than as text. These images have been copied from screens and would not be used by the real companies. It is easy to obtain images every bit as good as the originals, though, so a high quality image should not persuade you that the message is genuine.

  • Content of the email: In almost all countries, banks and other financial bodies will not email you to tell you about problems with your account. They recognise that email is fundamentally insecure and that personal information should not be sent by email. So even the method of communication gives you a clue about whether it is genuine. The email may give a false sense of urgency, claiming that your account is at risk if you do not act quickly. This is not the case.

  • Links: The text of a web link is not the same as the destination of the link itself – the link might say it is taking you to, but in fact it can take you anywhere on the web, including to a phisher’s computer impersonating that of a reputable company. You can easily spot a fake link by hovering your mouse pointer over the link – but do not click the button. The actual destination of the link will appear at the bottom of the window or in a small floating window next to the link. In a phishing email, the link will probably be to an address you aren’t familiar with.

The example message below claims to come from a fictional site called ePay and is about unauthorised activity on the account. The link says it goes to ePay’s site, but the address is slightly different and is unlikely to be owned by ePay.

[Screenshot: a phishing email displayed in a webmail inbox (MyEmail – Inbox, with Inbox, Sent, Junk Mail, Contacts, Recycle Bin and Settings navigation). Beneath an ePay logo the message reads: “Dear ePay customer, We recently reviewed your account, and we suspect an unauthorised transaction on your account. Protecting your account is our primary concern. As a preventive measure we have temporary limited your access to sensitive information. To ensure that your account is not compromised, simply hit the link below and confirm your identity as a member of ePay. *Please do not reply to this message, Mail sent to this address cannot be answered. Copyright © 2007-2014 ePay. All rights reserved.” The mouse pointer hovers over the link, and the address the link really points to appears at the bottom of the window. It is:]

A phishing email claiming to come from the fictional ePay site

So the rules are to be suspicious and to look at the details of the message, the language, the quality of the images and where the links actually take you. Banks and shops will always prefer you to call them and check rather than risking your security.

Emails are not the only phish

Please don’t think that malware is spread solely through email. Malware will be spread through any means possible.

Malware can be distributed by including it with pirated material such as illegal copies of software, video games and movies. Malware can also be installed on your computer by clicking links on websites – especially sites that distribute illegal copies of software, videos and pornography – or by annoying pop-up windows that claim to have identified problems with your computer (quick tip – they probably haven’t! but it’s a great prompt to run your antivirus software and remind yourself what a genuine alert looks like on your computer).

A recent trend is for malware to be spread through social networking services. Once it is on a machine running social networking software, the malware masquerades as the real user and posts messages containing links to sites that distribute yet more malware.

Once again, this type of malware relies on social engineering to multiply – users of social networks are highly likely to click on links they think have come from friends and spread the infection. Most of these social networking infections have exploited weaknesses in client software rather than the web versions of the networks, so it is important to keep social networking client software, such as the Facebook App for mobile devices, up to date.


Botnets are created using malware that gives an attacker control over a group of computers. The attacker commonly uses them to gather information from those computers (e.g., usernames and passwords) and to launch attacks against others. These attacks might be sending spam emails, or flooding a website with so many requests for content that the server cannot cope, which is known as a denial-of-service attack.

A single piece of malware can cause enormous damage, but when thousands, or even millions of computers run the same program, their effects can be devastating. So a botnet is a group of computers that coordinate their activity over the internet. There are a number of harmless botnets used for such purposes as the Internet Relay Chat (IRC) text messaging program, but the vast majority are created by malware.

Botnets spread through viruses and worms and once installed on the victim’s computer they use the internet to make contact with a control computer. At this point, the infected computer (often called a zombie) will do nothing more except periodically check for instructions from the control computer. Over time, more and more computers are recruited to the incipient botnet until it may contain tens of thousands of zombies, but they don’t raise suspicion as they appear to be doing nothing.

At some point in the future, the control computer will issue a command for the botnet to wake up and begin doing something. Often the people who created the botnet itself have either sold or rented the botnet to another group who want to use its capabilities.

Botnets have been used to flood the internet with spam messages, to commit fraud against advertisers and to perform so-called distributed denial of service attacks on companies and governments. Botnets are so large, and so widely distributed across the internet that they can be very hard to tackle and the effects of a coordinated attack on critical parts of the network can mean even very large websites struggle to remain online while the botnet targets their computers.

The following are transcripts of the videos available here: Stay Safe Online 

Financial Fraud via email forgery...

Scammers may impersonate someone you know using email to commit financial fraud. Be particularly wary of any email requesting money or any details about your financial credentials. This is one of the many types of scam you may face.

An initial email requested a money transfer using a forged email address that appeared to be from the Head of Faculty. The recipient was Joanna, a busy administrator of the same faculty. Joanna sent a reply, but she didn't notice that the Reply-To address was a Gmail one and not the usual @cam address that the message appeared to come from. Joanna received another email, but she became suspicious, so she consulted a member of the IT staff, who advised that she call Professor Smith directly to confirm the transaction. It was a FINANCIAL SCAM.

Be on your guard. Before responding to such an email, STOP! THINK! If unsure, consult your IT Officer as to whether the email is genuine. Also, contact the sender of the email by other means, for example over the phone or in person, to confirm the transfer. This should also protect you in case the email address is genuine but has been compromised by hackers. A little caution can avoid an expensive and distressing mistake.

These criminals will try to prevent you replying to the person they are impersonating, as that would give the game away. So they may try to hide the actual address where your reply is sent. Your local IT officer or the service desk staff at UIS will know how to check whether an email is legitimate by looking at additional information about the message. This is found in something called the "headers", which are usually hidden by most email apps. So if you receive an email asking you to make an urgent or unexpected payment, do ask your local IT staff to help.

Another common financial scam comes from messages telling you there has been a last-minute request for a change of financial details such as the bank sort code and account number. STOP! Phone the supplier directly to confirm this change. It is best to use the phone number on the supplier's website rather than one given in the message itself – this is another way of protecting yourself from a scam. Also, do not provide your bank account, credit or debit card or any other financial details to someone without being certain of their identity. If you need advice, don’t hesitate to ask your local IT department, Computer Officer or the UIS Service Desk for help. Please forward any suspicious emails to immediately or use our online form.

The world of cyber crime is evolving every day. Scammers use email in many ways which could pave the way for a future financial fraud. Anything unusual about an email message should wave a red flag.
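The Reply-To trick in the Joanna story above, and the From/Reply-To check recommended in the spear phishing transcript later on this page, can be automated from the message headers. This is an added example, not code from the page or from UIS: it parses a constructed message (every name and address is made up, and example.ac.uk stands in for the institution's real domain) and reports the header signs a helper would look for.

```python
"""Header check for the Reply-To trick described in the transcript above.

Added example, not code from the page or from UIS. It parses a constructed
message and reports: a Reply-To pointing at a different domain from the From
address, a display name that claims the trusted domain while the address is
elsewhere, and an urgent payment request that discourages confirming by phone.
"""
import email
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (a made-up stand-in here).
TRUSTED_DOMAIN = "example.ac.uk"

# Constructed sample modelled on the Joanna story; every name and address is made up.
RAW_SCAM = b"""From: Professor Smith <head.of.faculty@example.ac.uk>
Reply-To: Professor Smith <profsmith.urgent@gmail.com>
To: Joanna <joanna@example.ac.uk>
Subject: Urgent transfer needed today

Joanna, please arrange a transfer to the supplier below right away.
I am in meetings all day, so reply by email only.
"""

RAW_GENUINE = b"""From: Professor Smith <head.of.faculty@example.ac.uk>
To: Joanna <joanna@example.ac.uk>
Subject: Agenda for Thursday

Joanna, could you circulate the attached agenda? Thanks.
"""


def address_domain(header_value):
    """Lower-cased domain of the first address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_warnings(raw_bytes, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of warnings for the message; an empty list means nothing found."""
    msg = email.message_from_bytes(raw_bytes)
    warnings = []

    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])

    # 1. A Reply-To that sends your answer somewhere other than the apparent sender.
    #    This is the detail Joanna missed: her reply never reached the real professor.
    if reply_domain and reply_domain != from_domain:
        note = f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"
        if from_domain == trusted_domain:
            note += " (replies would leave the organisation)"
        warnings.append(note)

    # 2. A display name that claims the trusted domain while the address is elsewhere.
    display_name, _ = parseaddr(msg["From"] or "")
    if trusted_domain in display_name.lower() and from_domain != trusted_domain:
        warnings.append(f"Display name mentions {trusted_domain} but the address does not")

    # 3. Urgency plus an instruction to respond only by email: the page's red flags.
    text = "" if msg.is_multipart() else str(msg.get_payload()).lower()
    if "urgent" in (msg["Subject"] or "").lower() and "reply by email only" in text:
        warnings.append("Urgent payment request that discourages phoning to confirm")

    return warnings


if __name__ == "__main__":
    for label, raw in (("scam", RAW_SCAM), ("genuine", RAW_GENUINE)):
        print(label, header_warnings(raw) or ["no warnings"])
```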

STOP! THINK! Before you CLICK!

How do I recognise a legitimate login page from a fake one?

Scammers will target you with phishing emails. These may include a link taking you to a fake web site pretending to be the University's Raven login page. If you enter your University username and password, scammers can use your account to commit frauds. These could include sending phishing emails from your account, or on behalf of senior staff if you manage their accounts.

If a link in an email takes you to a Raven login page, BEFORE entering your password, make sure the web page is legitimate. This is what you SHOULD see and can TRUST. Look in the address bar, and note the start of the Raven login address, Firstly make sure that the domain name is correct. The “domain” is the first part of the web address; for Raven this will always be Another thing you can check is that the page asking for your password is secure. A secure site has a padlock icon in the address bar. Different browsers may show this in different ways. The Raven login screen always has a green padlock. If you click on the padlock, a drop-down box will usually show the web site owner's name. Use this to confirm whether the site is real; for Raven the owner's name is always "University of Cambridge". But spoof sites can also have a padlock, so it is important to check both that a padlock is visible and that the web address is the one you expect.

Look carefully at this web page: there are 2 address bars, one of them a screenshot of the site it is impersonating. The other has a very different web address! If you had entered your password, your login details would have been stolen.

What about web sites that do not use Raven? A common trick is for fake sites to use a domain name that looks similar to the one it imitates. This site looks as if it belongs to the BBC, but it doesn't. The BBC's website is There is no "info-" in their real address. Similarly, this address for apple dot com looks suspicious – did you notice that there is a zero rather than an "o" in the word "com"?

There are several other clues to help you spot bogus sites, including: no contact details on the site; intrusive adverts crowding the page, or ones that are explicit or suggestive, or ads that ask you to take a survey. Check for safe browsing by entering the web address here: If you think you have accidentally entered your University details into a fake site, change your password immediately. Use the password application to do this; do ask for help from your local IT Officer or the UIS service desk on 01223 762999 or email Forward anything suspect; the security team will block fake web login pages to protect you and other users. You can also report via your IT department, the service desk or through our web form. If you use Microsoft Online, the two login addresses look like this. And this. These are safe. We thought you’d like to know that!

STOP! THINK! Before you CLICK!
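The two link checks described on this page, anchor text that does not match the link's real destination (the ePay example earlier) and look-alike domains such as an “info-” prefix or a zero in place of an “o” (the Raven transcript above), as one added example; this is not code from the page or from UIS. The HTML, the hosts and the stand-in domain epay.example are constructed, and EXPECTED_HOSTS is an assumed list of the sites the reader expects to be sent to.

```python
"""Link checks for the two tricks this page describes: anchor text that does not
match the real destination, and look-alike domains (an "info-" prefix, a zero in
place of the letter "o"). Added example; all domains below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the genuine sites the reader expects to be sent to.
EXPECTED_HOSTS = {"epay.example", "bbc.co.uk", "apple.com"}

# Digits and symbols phishers substitute for letters so an address still looks right.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML email."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def hostname(url_or_text):
    """Lower-cased host of a URL; bare text such as 'www.epay.example' also works."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    host = urlparse(candidate).hostname or ""
    return host[4:] if host.startswith("www.") else host


def lookalike_of(host, expected=EXPECTED_HOSTS):
    """Return the expected host that `host` imitates, or None if genuine or unrelated.

    Coarse heuristic: undo digit-for-letter swaps, and treat a brand name buried
    in a longer name ("info-bbc.co.uk", "epay-secure.example.net") as imitation.
    """
    if host in expected:
        return None
    normalised = host.translate(CONFUSABLES)
    squashed = host.replace("-", "").replace(".", "")
    for real in expected:
        brand = real.split(".")[0]
        if normalised == real or brand in squashed:
            return real
    return None


def check_links(html):
    """Return one warning string per suspicious link found in the HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    warnings = []
    for text, href in collector.links:
        target = hostname(href)
        # Only treat the anchor text as a claimed address when it looks like one.
        shown = hostname(text) if "." in text and " " not in text else None
        if shown and shown != target:
            warnings.append(f"text shows '{shown}' but the link goes to '{target}'")
        imitated = lookalike_of(target)
        if imitated:
            warnings.append(f"'{target}' looks like '{imitated}' but is not it")
    return warnings


# Constructed HTML body in the style of the ePay message shown on this page.
SAMPLE_EMAIL = """
<p>Dear ePay customer, we suspect an unauthorised transaction on your account.</p>
<p>Confirm your identity at
   <a href="http://epay-secure.example.net/login">www.epay.example</a></p>
<p>See <a href="http://info-bbc.co.uk/story">this BBC story</a>
   and <a href="http://apple.c0m/support">apple.c0m</a>.</p>
<p><a href="https://epay.example/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for warning in check_links(SAMPLE_EMAIL):
        print("WARNING:", warning)
```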

What is phishing, and what can I do about it?

Phishing is an attempt to extract your passwords, your personal data or University-sensitive information, which is then used for criminal purposes. These scammers use email, social media, phone calls, or face-to-face methods to phish for information. Phishing is becoming more and more likely each day. It is estimated that in the University there are around 1000 attacks an hour. These scam emails attempt to trick you into clicking on a link that takes you to a malicious web site, or opening an attachment that installs a virus.

In March 2017, a scam email was sent to Cambridge users. Its aim was to trick people into entering their login information. A link in the email went to a mock-up of a Raven login page. Unfortunately, a surprisingly large number of people clicked it and gave away their password. Only a few hours later, scammers logged on to one of these accounts and used it to send more scam emails. NEVER log in to Raven via a link in an email.

So how do you recognise a scam email? Some are easy to spot: they offer you something "too good to be true" or inform you that you have won an academic prize; they may state that you have been given a bursary or extra grant funding. Delete them. Don't reply to this type of message and DON'T go to any link they include. However, you are more likely to click on a malicious link if you are expecting invoices or shipping notifications. In these cases be particularly vigilant.

But what if you are unsure? Take an example from Mags, a Cambridge user. Mags received an email attempting to get her to click on a link. But Mags was suspicious. Instead she reported the incident to us. If Mags had clicked the link, a virus would have been installed on her computer. Well done Mags, and THANK YOU. We want to know about ANYTHING that looks suspicious!

But how do you know if a link in an email is legitimate? Hovering your mouse over the link can reveal the scammer's fake link. Also, look to see if the link in the browser's title bar shows a suspect or bogus link. What else should you look for? If you see an email from an address like this, it is highly likely to be a phishing scam. There are only a handful of University ROLE addresses ending “” This is the actual address for HR, If you are unsure, view the genuine @cam addresses by looking in the UIS help pages. These scam emails sometimes appear to originate from an @cam sender, but they don't. You can check for valid Cambridge users by searching the University Lookup directory.

These days it is important to take much more care before responding to an email. If anything looks suspicious, rather than clicking an email link, consider going directly to the web site. Or give the sender a ring to make sure that it is a genuine request. If you think you have been deceived in any way, contact the UIS service desk, your local IT support or Computer Officer, and change your password immediately if you are advised to do so.

STOP! THINK! Before you CLICK!


What is Spear phishing?

Spear phishing is a malicious email, phone call or face to face contact that is specifically directed at YOU.
Criminals target you by taking any publicly available information from your workplace and your posts on social media, such as Facebook or Twitter.
Scammers may also try to obtain information over the phone or face to face by impersonating a company or department you trust.
So what can you do to avoid being scammed? It’s important that you confirm the identity of people who ask for personal or sensitive information before you release it.
If you have areas in your workplace that are not publicly accessible, you may need to check that strangers are being accompanied by their host or are genuine visitors, by asking to see their visitor's badge.
Another way scammers can target you is to trick you into installing a bad app on your phone or tablet, giving them access to your contacts and private information. Only install apps via the official store.
Spear Phishing emails will often use your name and job title and may appear to come from a colleague, a friend or a business contact that you trust, say your HR department, HMRC or your bank.
But it isn't; it's from a criminal who wants to find out your credit card and bank account numbers, your passwords, the financial data on your computer, or sensitive information belonging to the University.
Spear phishing emails may ask you to open an attachment, click on a malicious link or to enter your login details into a fake site.
Opening an attachment can install a virus on your computer. You may be surprised to know that your anti-virus software MAY NOT always detect a malware attachment.
What can you do to mitigate being duped? There are a few things to look for. Check that the From and “Reply-To” email addresses look correct.
Check that web links point to expected destinations, mouse over the link to see if the pop up information matches the sending email address.
Check the phone number to see if it is correct or a scam. Go directly to the web site rather than trusting the number in the email.
Read the email signature carefully, does it look authentic? If in doubt, before you CLICK, contact the sender using details found elsewhere.
If you think you are the victim of a scam, gather as much information as you can, then report the incident immediately.
For face to face or phone scams, record the person’s name, telephone number, and what they are asking for.
If you have given away your UIS account details change your password immediately if you are advised to do so.
If you have given away your login details for other services such as your bank, contact your bank directly using details from their web site.
If you have clicked a link or opened an attachment and something unusual happens, a virus or other malware may have downloaded.
Act quickly! Pull the Internet cable out. Turn off your computer.
Contact your local IT support, Computer Officer or the UIS service desk. They are there to help.
STOP! THINK! Before you CLICK!

Choosing a strong and memorable password

Do all my computers and user accounts need a password? Yes they do! One of the commonest causes of hacked computers, tablets or phones is a non-existent or weak password. How do you choose a safe PASSWORD? Follow these simple guidelines.

Firstly, your passwords should be as long as possible: use at least 12 characters. Passwords shouldn't consist of a single word in ANY language. Use both UPPER CASE & lower case characters. You can also use non-alphanumeric symbols. But don’t use easily sourced personal information, such as your birthday, the name of your pet, your CRSid, your postcode, or street name. Instead, DO USE a passphrase such as Apple Currents Chicken Armour. Using popular words such as your favourite movie is less safe. Random unassociated words are much stronger, so use them if you can remember them. For example: unrelated words with punctuation, a sentence that is nonsense, the first letter of each word in a phrase or song title, but avoid well-known quotes or sayings.

Never give password information out through an unsolicited phone call or in an email. Don’t write them down or share with ANYONE. No, not even your PET! Please don’t use the same password for everything, especially not these: 123456, qwerty or password, which are the most commonly used passwords and very easy to crack! Use different passwords for your home and work computers. Be discreet while typing your password; don't let others see you key it in. Another thought: if you are travelling, remember to check that your password characters are available on foreign keyboards. If you use your own devices for work purposes, such as a tablet or a phone or laptop, ensure that these are secured by a password or PIN.

So, how do you recognise a good password? Not this one: Apple will take a computer microseconds to crack! Whereas Apple-Curr will take one year; it has just five more characters. But it can still be improved. Apple-Currents-Chicken-Armour takes 72 decillion years to crack using today's tools! We haven't tested this but the principle holds: use a long passphrase. So, a question for you. Which password is the strongest? A) or B) My favourite ice cream is chutney? The correct answer is: B. Remember, size does matter! and it is the LENGTH that is important. The longer and more unpredictable the better, but do keep it memorable!

So how do you change your UIS password? Go here. But what if you have passwords for other institutional systems? Go to your local IT Officer or contact the UIS service desk. You can check to see how safe your passwords are using the Password Management system. Can’t remember all your passwords? We all have that problem. Remember, don’t write them down! But don’t worry, there is a solution to this. Consider using a password manager application to store your passwords, but do be careful before you download any such software.

Contact your friendly local IT Department or Computer Officer for advice, or email the UIS Service Desk,